CWE-502 · Deserialization of Untrusted Data

2865 CVEs classified under CWE-502 (Deserialization of Untrusted Data). Browse by severity and year.

Top CVEs for CWE-502
CVESeverityScorePublishedSummary
CVE-2026-41104Critical10.02026-05-22Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.
CVE-2026-43633Critical10.02026-05-19HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and…
CVE-2026-45829Critical10.02026-05-18A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary…
CVE-2026-33819Critical10.02026-04-23Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
CVE-2026-20131Critical10.02026-03-04A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker…
CVE-2026-25632Critical10.02026-02-06EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EP…
CVE-2025-14931Critical10.02025-12-23Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attacker…
CVE-2025-55182Critical10.02025-12-03A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following…
CVE-2025-58384Critical10.02025-09-26In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc ad…
CVE-2025-10035Critical10.02025-09-18A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deseriali…
CVE-2025-42944Critical10.02025-09-09Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious…
CVE-2025-48200Critical10.02025-05-21The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.
CVE-2025-30012Critical10.02025-05-13The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to sen…
CVE-2025-32444Critical10.02025-04-30vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration…
CVE-2024-44102Critical10.02024-11-12A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured)…
CVE-2024-5932Critical10.02024-08-20The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 v…
CVE-2024-37099Critical10.02024-08-19Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.
CVE-2024-5675Critical10.02024-06-06Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker…
CVE-2024-30225Critical10.02024-03-28Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10.
CVE-2024-30224Critical10.02024-03-28Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2.